From owner-freebsd-stable@FreeBSD.ORG Wed Sep 6 06:32:09 2006 Return-Path: X-Original-To: freebsd-stable@freebsd.org Delivered-To: freebsd-stable@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 242F116A4E2; Wed, 6 Sep 2006 06:32:09 +0000 (UTC) (envelope-from ast@marabu.ch) Received: from oneplusone.ch (oneplusone.ch [212.55.208.170]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2141E43D6E; Wed, 6 Sep 2006 06:32:03 +0000 (GMT) (envelope-from ast@marabu.ch) Received: from oneplusone.ch (localhost [127.0.0.1]) by oneplusone.ch (8.13.6/8.13.6) with ESMTP id k866W1PD056275 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 6 Sep 2006 08:32:02 +0200 (CEST) (envelope-from ast@marabu.ch) Received: (from uucp@localhost) by oneplusone.ch (8.13.6/8.13.6/Submit) with UUCP id k866W176056274; Wed, 6 Sep 2006 08:32:01 +0200 (CEST) (envelope-from ast@marabu.ch) Received: from pano.marabu.ch (localhost [127.0.0.1]) by pano.marabu.ch (8.13.6/8.13.6) with ESMTP id k866TDg5045087; Wed, 6 Sep 2006 08:29:13 +0200 (CEST) (envelope-from ast@pano.marabu.ch) Received: (from ast@localhost) by pano.marabu.ch (8.13.6/8.13.6/Submit) id k866TDvL045086; Wed, 6 Sep 2006 08:29:13 +0200 (CEST) (envelope-from ast) Date: Wed, 6 Sep 2006 08:29:13 +0200 From: Adrian Steinmann To: freebsd-stable@freebsd.org Message-ID: <20060906062912.GA44900@webgroup.ch> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-2.0.2 (oneplusone.ch [127.0.0.1]); Wed, 06 Sep 2006 08:32:02 +0200 (CEST) X-Mailfilter: egfilter version 1.14; Archiver [msg.gLtkp1LL] (oneplusone.ch [127.0.0.1]); Wed, 06 Sep 2006 08:32:02 +0200 (CEST) X-AntiVirus: checked by AntiVir Milter (version: 1.1.2-1; AVE: 7.1.1.11; VDF: 6.35.1.188; host: oneplusone.ch) Cc: mr@freebsd.org, pjd@freebsd.org Subject: FAST_IPSEC + device padlock + device crypto + IKE broken? X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Sep 2006 06:32:09 -0000 In my kernel config, I have options FAST_IPSEC device padlock device crypto which enables the crypto acceleration in VIA C3 and C7 CPUs. IPSEC with static rijndael-cbc keys of length 128, 192, and 256 makes use of the acceleration when sysctl net.inet.ipsec.crypto_support=1; - so far, so good. Yet when I configure racoon from ipsec-tools, racoon2, or iked for dynamic keying, I get a "PFKEYv2 UPDATE" (or similar) failure. When I set net.inet.ipsec.crypto_support=0 these same dynamic ike key configurations work, albeit without HW crypto accelleration. Has anyone else observed this and know what the problem is? Adrian